Move sys-libs/pam to portage-stable

.github/workflows/portage-stable-packages-list

@@ -558,6 +558,7 @@ sys-libs/libsepol
 sys-libs/libunwind
 sys-libs/liburing
 sys-libs/ncurses
+sys-libs/pam
 sys-libs/readline
 sys-libs/talloc
 sys-libs/tdb

changelog/updates/2024-03-04-pam.md

@@ -0,0 +1 @@
+- pam ([1.5.3](https://github.com/linux-pam/linux-pam/releases/tag/v1.5.3))

sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0-r4.ebuild → sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0-r5.ebuild

@@ -12,7 +12,7 @@ HOMEPAGE='https://www.flatcar.org/'
 LICENSE='Apache-2.0'
 SLOT='0'
 KEYWORDS='amd64 arm64'
-IUSE="audit ntp openssh policycoreutils"
+IUSE="audit ntp openssh pam policycoreutils"
 
 # No source directory.
 S="${WORKDIR}"
@@ -33,6 +33,7 @@ RDEPEND="
         >=app-shells/bash-5.2_p15-r2
         ntp? ( >=net-misc/ntp-4.2.8_p17 )
         policycoreutils? ( >=sys-apps/policycoreutils-3.6 )
+        pam? ( >=sys-libs/pam-1.5.3-r1 )
         audit? ( >=sys-process/audit-3.1.1 )
 "
 
@@ -119,6 +120,16 @@ src_install() {
             ['/usr/share/ssh/sshd_config']='/usr/share/flatcar/etc/ssh/sshd_config.d/50-flatcar-sshd.conf'
         )
     fi
+    if use pam; then
+        compat_symlinks+=(
+            ['/usr/lib/pam/access.conf']='/usr/share/flatcar/etc/security/access.conf'
+            ['/usr/lib/pam/group.conf']='/usr/share/flatcar/etc/security/group.conf'
+            ['/usr/lib/pam/limits.conf']='/usr/share/flatcar/etc/security/limits.conf'
+            ['/usr/lib/pam/namespace.conf']='/usr/share/flatcar/etc/security/namespace.conf'
+            ['/usr/lib/pam/pam_env.conf']='/usr/share/flatcar/etc/security/pam_env.conf'
+            ['/usr/lib/pam/time.conf']='/usr/share/flatcar/etc/security/time.conf'
+        )
+    fi
 
     local link target
     for link in "${!compat_symlinks[@]}"; do

sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-libs/pam/0001-Add-account-locking.patch

@@ -0,0 +1,28 @@
+From a2f4387b53591c666a6364cafe7cfa2d8907e0f5 Mon Sep 17 00:00:00 2001
+From: Matthew Garrett <[email protected]>
+Date: Tue, 5 Apr 2016 22:15:56 -0700
+Subject: [PATCH] Add account locking
+
+A leading exclamation mark in the password field in /etc/shadow
+indicates a locked account.
+---
+ modules/pam_unix/support.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
+index 043273d2..37091020 100644
+--- a/modules/pam_unix/support.c
++++ b/modules/pam_unix/support.c
+@@ -834,6 +834,9 @@ _unix_verify_user(pam_handle_t *pamh,
+         return retval;
+     }
+
++    if (pwent->pw_passwd != NULL && pwent->pw_passwd[0] == '!')
++        return PAM_PERM_DENIED;
++
+     if (retval == PAM_SUCCESS && spent == NULL)
+         return PAM_SUCCESS;
+
+-- 
+2.34.1
+

sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-libs/pam/README.md

@@ -0,0 +1,5 @@
+The patch adds some locking behavior. Upstream didn't want it:
+https://github.com/linux-pam/linux-pam/issues/261.
+
+Possibly it should be dropped in favor of `chage -E 0`, as mentioned
+in the issue.

sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords

@@ -96,6 +96,9 @@
 # Needed to fix CVE-2023-29491.
 =sys-libs/ncurses-6.4_p20230527 ~amd64 ~arm64
 
+# Drops the use of usr-ldscript eclass.
+=sys-libs/pam-1.5.3-r1 ~amd64 ~arm64
+
 # A dependency of app-shells/bash version that we need for security
 # fixes.
 =sys-libs/readline-8.2_p7-r1 ~amd64 ~arm64

sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/package.use

@@ -7,10 +7,11 @@ app-editors/vim		minimal -crypt
 # minimal: Don't pull app-vim/gentoo-syntax
 app-editors/vim-core	minimal
 
-# Install our modifications and compatibility symlinks for ssh and ntp
+# Install our modifications and compatibility symlinks for audit, ntp,
+# pam and ssh.
 #
 # Install a SELinux policy directory symlink
-coreos-base/misc-files audit ntp openssh policycoreutils
+coreos-base/misc-files audit ntp openssh pam policycoreutils
 
 dev-lang/python		gdbm
 dev-libs/dbus-glib	tools

sdk_container/src/third_party/portage-stable/sys-libs/pam/Manifest

@@ -0,0 +1,2 @@
+DIST Linux-PAM-1.5.3-docs.tar.xz 466340 BLAKE2B 6bade3c63ebe6b6ca7a86d7385850bb87bf1d6526add3ac5aad140533516c1d27b594a17d09c4127ff985c42e6c571618785d6b2a2913e6575678c4dcf947dc0 SHA512 a9082823da88e0054d74e13aef872519ced5fbef25c8cc1a7e3a99160f835aa09c9ef701b6ec507acd3b540da0019288424bb4c8ebd828181ea90450db1494a9
+DIST Linux-PAM-1.5.3.tar.xz 1020076 BLAKE2B 362c939f3afc343e6f4e78e7f6ba6f7a9c6ee0a9948bb5a4fc34cecfd29e9fa974082534d4ceedd04d8d3e34c7b3ef43d2a07ba5f41d26da04ec8330fc3790fb SHA512 af88e8c1b6a9b737ffaffff7dd9ed8eec996d1fbb5804fb76f590bed66d8a1c2c6024a534d7a7b6d18496b300f3d6571a08874cf406cd2e8cea1d5eff49c136a

sdk_container/src/third_party/portage-stable/sys-libs/pam/files/pam-1.5.3-termios.patch

@@ -0,0 +1,34 @@
+Replace System V termio.h with POSIX termios.h for musl
+Upstream: https://github.com/linux-pam/linux-pam/pull/576
+Bug: https://bugs.gentoo.org/906137
+
+From 5658105b04ad4df212baf302898ee2cca99516a6 Mon Sep 17 00:00:00 2001
+From: Violet Purcell <[email protected]>
+Date: Thu, 11 May 2023 10:27:53 -0400
+Subject: [PATCH] fix build on musl
+
+--- a/examples/tty_conv.c
++++ b/examples/tty_conv.c
+@@ -6,8 +6,9 @@
+ #include <string.h>
+ #include <errno.h>
+ #include <unistd.h>
+-#include <termio.h>
++#include <termios.h>
+ #include <security/pam_appl.h>
++#include <sys/ioctl.h>
+
+ /***************************************
+  * @brief echo off/on
+@@ -16,7 +17,7 @@
+  ***************************************/
+ static void echoOff(int fd, int off)
+ {
+-    struct termio tty;
++    struct termios tty;
+     if (ioctl(fd, TCGETA, &tty) < 0)
+     {
+         fprintf(stderr, "TCGETA failed: %s\n", strerror(errno));
+-- 
+2.40.1
+

sdk_container/src/third_party/portage-stable/sys-libs/pam/metadata.xml

@@ -0,0 +1,24 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+	<maintainer type="project">
+		<email>[email protected]</email>
+	</maintainer>
+	<maintainer type="person">
+		<email>[email protected]</email>
+		<name>Sam James</name>
+	</maintainer>
+	<use>
+		<flag name="berkdb">
+			Build the pam_userdb module, that allows to authenticate users
+			against a Berkeley DB file. Please note that enabling this USE
+			flag will create a PAM module that links to the Berkeley DB (as
+			provided by <pkg>sys-libs/db</pkg>) installed in /usr/lib and
+			will thus not work for boot-critical services authentication.
+		</flag>
+		</use>
+	<upstream>
+		<remote-id type="github">linux-pam/linux-pam</remote-id>
+		<remote-id type="cpe">cpe:/a:kernel:linux-pam</remote-id>
+	</upstream>
+</pkgmetadata>